[ JagoPG Site ]
This publication is more than a year old. The information can be out-dated.

Encrypting user data on Debian & Windows

For people who carry their computer from one place to another, as I do, it is good practice to encrypt the contents of the hard drive. That way, in the unlucky case that the device is stolen, our data will not be exposed to other people.

I am going to show you how to encrypt one partition with Windows 8.1 installed and another partition with Debian Jessie. In the second case, it is recommended to encrypt all the partitions that make up the Debian installation, to make access to the data harder. If the installation is already done, you can still encrypt the user data.

Encrypting a user folder /home in Debian Jessie

  • First, install the encryption application and load its kernel module.

    $ sudo aptitude install ecryptfs-utils
    $ sudo modprobe ecryptfs
    
  • Log out of the user account whose folder will be encrypted, and log in as the root user. I do it by pressing the CTRL, ALT and F2 keys to open a new session on the terminal.

  • The following command creates a backup of the content of the folder that will be encrypted, so it is not necessary to do it by hand. To perform this step, you need free space of approximately 150% of the size of the content that will be encrypted.

    # ecryptfs-migrate-home -u <USER_NAME>
    
  • After the command has finished, do not reboot the system. First, log in as the user whose personal folder has been encrypted, and check that the user can read and write data. If the user is unable to perform these operations, the folder has to be restored:

    # ls -d /home/*
      /home/<USER>
      /home/<USER.fsj2dngf>
    # rm -r /home/<USER>
    # mv /home/<USER.fsj2dngf> /home/<USER>
    
  • Pay attention to the name that the encryption tool has given to the backup of the user folder.

  • Otherwise, if the encryption has been successful, you can remove the backup folder:

    # ls -d /home/*
      /home/<USER>
      /home/<USER.fsj2dngf>
    # rm -r /home/<USER.fsj2dngf>
    
  • Finally, save the passphrase in case you lose or forget the user password. Obviously, this passphrase has to be stored on a different device.

    $ ecryptfs-unwrap-passphrase > usuario_passphase.txt
    
  • Optionally, you can also encrypt the swap partition, to reduce the chances of leaving a weak point.

    $ sudo aptitude install cryptsetup
    $ sudo ecryptfs-setup-swap
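
The checks from the steps above, as an added example that is not part of the original post: a script that verifies the home folder is mounted through eCryptfs, that no plaintext backup folder is left behind, and that no swap entry is still unencrypted. The user name alice, the sample files and the assumption that encrypted swap is listed under /dev/mapper/ in /etc/fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example. Files are passed as arguments so the checks run on the
# constructed samples below; on a real system use /proc/mounts, /etc/fstab
# and /home.

# Succeeds if /home/USER is an ecryptfs mount (run while USER is logged in).
home_is_ecryptfs() {  # usage: home_is_ecryptfs USER MOUNTS_FILE
    awk -v mp="/home/$1" \
        '$2 == mp && $3 == "ecryptfs" { ok = 1 } END { exit !ok }' "$2"
}

# Prints active swap entries that are not device-mapper volumes.
# Assumption: encrypted swap is listed under /dev/mapper/ in fstab.
plaintext_swap() {  # usage: plaintext_swap FSTAB_FILE
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\// { print $1 }' "$1"
}

# Prints leftover plaintext backups named HOME_ROOT/USER.<suffix>.
leftover_backups() {  # usage: leftover_backups USER HOME_ROOT
    for d in "$2/$1".*; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Constructed sample: home migrated, backup not yet removed, swap untouched.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/home/alice" "$SAMPLE/home/alice.fsj2dngf"
cat > "$SAMPLE/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
EOF
cat > "$SAMPLE/fstab" <<'EOF'
UUID=constructed-0000 / ext4 errors=remount-ro 0 1
/dev/sda3 none swap sw 0 0
EOF

if home_is_ecryptfs alice "$SAMPLE/mounts"; then
    echo "home: mounted through ecryptfs"
else
    echo "home: NOT encrypted"
fi
for s in $(plaintext_swap "$SAMPLE/fstab"); do
    echo "swap: $s is not encrypted"
done
for b in $(leftover_backups alice "$SAMPLE/home"); do
    echo "backup: plaintext copy still present at $b"
done
```

The mount check only succeeds while the user is logged in, because that is when the encrypted folder is mounted.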
    

Encrypting a Windows 8.1 partition with BitLocker

  • First, if the computer does not have a TPM, you have to modify a group policy setting. Go to: "Control Panel > Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives".

  • Edit the "Require additional authentication at startup" policy.

  • Set the policy to enabled and make sure "Allow BitLocker without a compatible TPM" is checked.

  • Then go to "Control Panel > BitLocker Drive Encryption":

    • Choose which partition you want to encrypt and click "Activate BitLocker". The application will scan the drive, and right away the wizard will ask for a password.
    • Next, you will be asked where to store the recovery key: depending on your Windows version, you will be offered to store it in the Outlook account or on an external drive, for instance a USB stick.
    • You can choose between encrypting the whole partition or just the existing data. The difference is that with the second method, data you have already removed can still be recovered with no need to decrypt anything.